Affected versions of airbrake default to sending environment variables over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible for them to capture and read these environment variables, which may result in leaking sensitive information.
Update to version 0.4.0 or later, or upgrade from the now-deprecated airbrake module to its replacement, airbrake-js.
| Score | Percentile |
|---|---|
| 0.30% | 52.89% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-856x-cp3q-47vg ↗ |
| CVE | CVE-2016-10530 ↗ |
| CWE id | Name |
|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | airbrake | < 0.4.0 | 0.4.0 | — |